DESCRIPTION
The core contract covered in this audit is ref-exchange, located at https://github.com/ref-finance/ref-contracts/tree/main/ref-exchange. The iterative audit covers the code in the initial version as well as the subsequent versions that fix the discovered issues, as detailed in our audit report. Please note that external dependencies are assumed to be reliable and are therefore excluded from the audit scope.
Our audit methodology combines automated vulnerability scans, manual verification, and business logic analysis to uncover potential security issues, together with gas and code quality optimization recommendations. In summary, we identified several issues and security suggestions that should be considered; the Ref Finance team addressed them promptly. It is important to note that our audit covers only the final reported versions of the codebase. Any subsequent updates would require a re-evaluation.
KEY FINDINGS
In total, we found 4 potential issues in the smart contract. We also have 10 recommendations and 3 notes, as follows:
ID | Severity | Description | Category | Status |
---|---|---|---|---|
1 | Medium | Improper Account Unregistration | Software Security | Fixed |
2 | Medium | Lack of Storage Usage Check in function ft_on_transfer | Software Security | Fixed |
3 | Low | Unrestricted Referral Account | DeFi Security | Fixed |
4 | Medium | Incorrect Admin Fees Calculation in Simple Pool | DeFi Security | Fixed |
5 | - | Lack of Check on Guardians' Removal | Recommendation | Fixed |
6 | - | Two-Step Transfer of Privileged Account Ownership | Recommendation | Confirmed |
7 | - | Potential Elastic Supply Token Problem | Recommendation | Confirmed |
8 | - | Improper Check on the Admin Fees | Recommendation | Fixed |
9 | - | Lack of Check in retrieve_unmanaged_token() | Recommendation | Confirmed |
10 | - | Lack of Check on the Gas Used by migrate() | Recommendation | Fixed |
11 | - | Code Optimization (I) | Recommendation | Fixed |
12 | - | Code Optimization (II) | Recommendation | Fixed |
13 | - | Avoid Logging in View Functions | Recommendation | Fixed |
14 | - | Slippage Protection in Function add_liquidity | Recommendation | Fixed* |
15 | - | Delayed Price in Rated Swap Pool | Note | Confirmed |
16 | - | Timely Triggering update_token_rate() | Note | Confirmed |
17 | - | Sensitive Functions Managed by DAO | Note | Confirmed |
More details are provided in the audit report.
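Recommendation 6 (Two-Step Transfer of Privileged Account Ownership) names a standard hardening pattern: instead of the owner overwriting the owner field in one call, the owner proposes a successor and the successor must explicitly accept, so a mistyped or uncontrolled account can never end up holding the privilege. The following is an added illustration written for this page; it is not code from ref-exchange or from the audit report. It is plain Rust with no NEAR SDK dependency: the `Ownable` type, the account names, and the explicit `caller` parameter (standing in for the predecessor account id a NEAR contract would read from the runtime) are all assumptions made for the example.

```rust
/// Stand-in for a NEAR account id in this illustration (assumption).
pub type AccountId = String;

#[derive(Debug, PartialEq)]
pub enum OwnerError {
    /// Caller is not the current owner.
    NotOwner,
    /// Caller is not the account that was proposed as the new owner.
    NotPendingOwner,
    /// No ownership transfer has been proposed.
    NoPendingTransfer,
}

/// Privileged-account state: the active owner plus an optional proposed
/// successor that has not yet accepted.
#[derive(Debug)]
pub struct Ownable {
    owner: AccountId,
    pending_owner: Option<AccountId>,
}

impl Ownable {
    pub fn new(owner: &str) -> Self {
        Ownable { owner: owner.to_string(), pending_owner: None }
    }

    pub fn owner(&self) -> &str {
        &self.owner
    }

    pub fn pending_owner(&self) -> Option<&str> {
        self.pending_owner.as_deref()
    }

    fn require_owner(&self, caller: &str) -> Result<(), OwnerError> {
        if caller == self.owner { Ok(()) } else { Err(OwnerError::NotOwner) }
    }

    /// One-step transfer, the pattern the recommendation advises against:
    /// a typo in `new_owner` or a key nobody holds hands control to an
    /// account that can never act, and there is no way back.
    pub fn set_owner_one_step(&mut self, caller: &str, new_owner: &str) -> Result<(), OwnerError> {
        self.require_owner(caller)?;
        self.owner = new_owner.to_string();
        self.pending_owner = None;
        Ok(())
    }

    /// Step 1 of the two-step pattern: the current owner proposes a successor.
    /// Nothing changes for privileged calls until the successor accepts.
    pub fn propose_owner(&mut self, caller: &str, new_owner: &str) -> Result<(), OwnerError> {
        self.require_owner(caller)?;
        self.pending_owner = Some(new_owner.to_string());
        Ok(())
    }

    /// Step 2: only the proposed account may accept, which proves that
    /// someone actually controls its keys before privilege moves.
    pub fn accept_ownership(&mut self, caller: &str) -> Result<(), OwnerError> {
        match self.pending_owner.take() {
            None => Err(OwnerError::NoPendingTransfer),
            Some(pending) if pending == caller => {
                self.owner = pending;
                Ok(())
            }
            Some(pending) => {
                // Not the proposed account: restore the proposal untouched.
                self.pending_owner = Some(pending);
                Err(OwnerError::NotPendingOwner)
            }
        }
    }

    /// The owner can withdraw a proposal before it is accepted.
    pub fn cancel_proposal(&mut self, caller: &str) -> Result<(), OwnerError> {
        self.require_owner(caller)?;
        if self.pending_owner.take().is_none() {
            return Err(OwnerError::NoPendingTransfer);
        }
        Ok(())
    }
}

fn main() {
    // Constructed scenario: the owner hands control to a DAO account.
    let mut state = Ownable::new("owner.near");
    state.propose_owner("owner.near", "dao.near").unwrap();
    println!("after propose: owner={} pending={:?}", state.owner(), state.pending_owner());
    state.accept_ownership("dao.near").unwrap();
    println!("after accept:  owner={} pending={:?}", state.owner(), state.pending_owner());
}
```

In a real NEAR contract the `caller` argument would be replaced by the runtime's predecessor account id, and the owner and pending owner would live in contract storage; the control flow above is the part that matters for the recommendation.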